
my laptop has a virus and i need help 2 fix

Discussion in 'Virus & Other Malware Removal' started by i like pie, Sep 17, 2006.

Thread Status:
Not open for further replies.
  1. i like pie

    i like pie Thread Starter

    Joined:
    Sep 13, 2006
    Messages:
    99
    i have my aunt's laptop
    it's got a bad virus. i tried cleaning the registry like i did 4 mine but it didn't work
    when it starts up it says cannot find the file "bootini.exe" or any of its components. that's about all i know. please help
     
  2. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,645
    Hi and welcome to TSG,

    If you have taken anything out of startups via msconfig please go to Start – Run – type in msconfig – click OK and click on the Startup tab. Click on Enable All then Apply and OK. Then please do the following:

    Click here to download HJTsetup.exe
    • Save HJTsetup.exe to your desktop.
    • Double click on the HJTsetup.exe icon on your desktop.
    • By default it will install to C:\Program Files\Hijack This.
    • Continue to click Next in the setup dialogue boxes until you get to the Select Additional Tasks dialogue.
    • Put a check by Create a desktop icon then click Next again.
    • Continue to follow the rest of the prompts from there.
    • At the final dialogue box click Finish and it will launch Hijack This.
    • Click on the Do a system scan and save a log file button. It will scan and then ask you to save the log.
    • Click Save to save the log file and then the log will open in notepad.
    • Click on "Edit > Select All" then click on "Edit > Copy" to copy the entire contents of the log.
    • Come back here to this thread and Paste the log in your next reply.
    • DO NOT have Hijack This fix anything yet. Most of what it finds will be harmless or even required.
     
  3. i like pie

    i like pie Thread Starter

    Joined:
    Sep 13, 2006
    Messages:
    99
    i dont have that file
     
  4. i like pie

    i like pie Thread Starter

    Joined:
    Sep 13, 2006
    Messages:
    99
    msconfig. it says it can't find it or any of its components
     
  5. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,645
    Please post the HijackThis log.
     
  6. i like pie

    i like pie Thread Starter

    Joined:
    Sep 13, 2006
    Messages:
    99
    i will run the scan tonight
    it takes forever
     
  7. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,645
  8. i like pie

    i like pie Thread Starter

    Joined:
    Sep 13, 2006
    Messages:
    99
    i tried running hijackthis but every time i opened the file the comp closed it :mad:
     
  9. i like pie

    i like pie Thread Starter

    Joined:
    Sep 13, 2006
    Messages:
    99
    i'm not using the laptop when i'm posting these so plz make it so i can put it on a memory card if ur giving me a program
     
  10. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,645
    Download The Hoster from here. Unzip the file and press "Restore Original Hosts" and press "OK". Exit Program.

    Then try to open HijackThis and scan again.
     
  11. i like pie

    i like pie Thread Starter

    Joined:
    Sep 13, 2006
    Messages:
    99
    plz also keep in mind that i'm doing all this in safe mode because it's way way way too slow in normal
    :eek:
     
  12. i like pie

    i like pie Thread Starter

    Joined:
    Sep 13, 2006
    Messages:
    99
    Logfile of HijackThis v1.99.1
    Scan saved at 7:31:39 PM, on 9/19/2006
    Platform: Windows 2000 SP3 (WinNT 5.00.2195)
    MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

    Running processes:
    C:\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\WBEM\WinMgmt.exe
    C:\WINDOWS\Explorer.exe
    C:\Documents and Settings\Home\Desktop\HijackThis.exe

    R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Shaw Internet
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = proxy:8080
    R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
    R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)
    R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
    F2 - REG:system.ini: Shell=Explorer.exe bootini.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,bootini.exe
    O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
    O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar1.dll
    O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll
    O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [SMC] C:\SMC\SMC.exe
    O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe
    O4 - HKLM\..\Run: [Microsoft Windows] bootini.exe
    O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe
    O4 - HKLM\..\Run: [owjyvxoA] C:\WINDOWS\owjyvxoA.exe
    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
    O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\Kztyx\Rkhx.exe
    O4 - HKCU\..\Run: [swg] C:\Program Files\Google\GoogleToolbarNotifier\1.0.720.3640\GoogleToolbarNotifier.exe
    O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\MSN Messenger\MsnMsgr.Exe" /background
    O4 - HKCU\..\Run: [Microsoft Windows] bootini.exe
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
    O14 - IERESET.INF: START_PAGE_URL=http://start.shaw.ca
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.microsoft.com/windowsupdate/v6/V5Controls/en/x86/client/wuweb_site.cab?1157722614147
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SG9tZQ\command.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINDOWS\System32\dmadmin.exe
    O23 - Service: Microsoft Windows HDA Service - Unknown owner - C:\WINDOWS\System32\dllcache\svhda.exe
    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec SPBBCSvc (SPBBCSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SPBBC\SPBBCSvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\owjyvxo.exe
    O23 - Service: Microsoft Windows Spooler Services (Windows Spooler Services) - Unknown owner - C:\WINDOWS\wfbmgr.exe
     
  13. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,645
    Please download Brute Force Uninstaller to your desktop.
    • Right click the BFU folder on your desktop, and choose Extract All
    • Click "Next"
    • In the box to choose where to extract the files to,
    • Click "Browse"
    • Click on the + sign next to "My Computer"
    • Click on "Local Disk (C:)" or whatever your primary drive is
    • Click "Make New Folder"
    • Type in BFU
    • Click "Next", and Uncheck the "Show Extracted Files" box and then click "Finish".
    RIGHT-CLICK HERE and choose "Save As" (in IE it's "Save Target As") in order to download Alcra PLUS Remover.
    Save it in the same folder you made earlier (c:\BFU).

    Do not do anything with this yet!

    Reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping F8 until a menu appears. Highlight Safe Mode and hit enter.


    Then, please go to Start > My Computer and navigate to the C:\BFU folder.
    • Start the Brute Force Uninstaller by doubleclicking BFU.exe
    • Behind the scriptline to execute field click the folder icon and select alcanshorty.bfu
    • Press Execute and let the program do its job. (You ought to see a progress bar if you did this correctly.)
    • Wait for the complete script execution box to pop up and press OK.
    • Press exit to terminate the BFU program.
    Reboot into normal windows.


    Reboot and post a new HijackThis log please. See if you can get one taken from normal mode this time.
     
  14. i like pie

    i like pie Thread Starter

    Joined:
    Sep 13, 2006
    Messages:
    99
    my laptop can't connect to the internet, i can't do any of that and i can't boot it up in normal mode so none of this helps
     
  15. Cookiegal

    Cookiegal Administrator Malware Specialist Coordinator

    Joined:
    Aug 27, 2003
    Messages:
    101,645
    Click Start - Run - and type in:

    services.msc

    Click OK.

    In the services window find Command Service.
    Right click and choose "Properties". On the "General" tab under "Service Status" click the "Stop" button to stop the service. Beside "Start-up Type" in the dropdown menu select "Disabled". Click Apply then OK. Exit the Services utility.

    Note: You may get an error here when trying to access the properties of the service. If you do get an error, just select the service and look there in the top left of the main service window and click "Stop" to stop the service. If that gives an error or it is already stopped, just skip this step and proceed with the rest.


    Repeat the above for all of these services:

    Microsoft Windows HDA Service
    Network Monitor
    Windows Overlay Components
    Microsoft Windows Spooler Services



    Click Here and download Killbox and save it to your desktop but don’t run it yet. Try installing it on the infected computer from a floppy.


    Go to Control Panel - Add/Remove programs and remove these, if there:

    Internet Optimizer
    TheSearchAccelerator

    Rescan with HijackThis, close all browser windows except HijackThis, put a check mark beside these entries and click fix checked.


    R3 - URLSearchHook: (no name) - _{02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)

    R3 - URLSearchHook: (no name) - _{A8B28872-3324-4CD2-8AA3-7D555C872D96} - (no file)

    R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll

    F2 - REG:system.ini: Shell=Explorer.exe bootini.exe

    F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,bootini.exe

    O3 - Toolbar: UCmore XP - The Search Accelerator - {44BE0690-5429-47f0-85BB-3FFD8020233E} - C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll

    O4 - HKLM\..\Run: [Windows Logon Application] C:\WINDOWS\System32\logon.exe

    O4 - HKLM\..\Run: [Microsoft Windows] bootini.exe

    O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe

    O4 - HKLM\..\Run: [owjyvxoA] C:\WINDOWS\owjyvxoA.exe

    O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"

    O4 - HKLM\..\Run: [ntdll.dll] C:\Program Files\Kztyx\Rkhx.exe

    O4 - HKCU\..\Run: [Microsoft Windows] bootini.exe

    O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SG9tZQ\command.exe

    O23 - Service: Microsoft Windows HDA Service - Unknown owner - C:\WINDOWS\System32\dllcache\svhda.exe

    O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe

    O23 - Service: Windows Overlay Components - Unknown owner - C:\WINDOWS\owjyvxo.exe

    O23 - Service: Microsoft Windows Spooler Services (Windows Spooler Services) - Unknown owner - C:\WINDOWS\wfbmgr.exe


    Then boot to safe mode:


    How to restart to safe mode


    Double-click on Killbox.exe to run it.
    • Put a tick by Standard File Kill.
    • In the "Full Path of File to Delete" box, copy and paste each of the following lines one at a time:

      C:\Program Files\Deskbar
      C:\Program Files\TheSearchAccelerator
      C:\WINDOWS\System32\lssas.exe
      C:\WINDOWS\System32\bootini.exe
      C:\WINDOWS\System32\logon.exe
      C:\WINDOWS\owjyvxoA.exe
      C:\Program Files\Internet Optimizer
      C:\Program Files\Kztyx
      C:\WINDOWS\SG9tZQ\command.exe
      C:\WINDOWS\System32\dllcache\svhda.exe
      C:\Program Files\Network Monitor
      C:\WINDOWS\owjyvxo.exe
      C:\WINDOWS\wfbmgr.exe


    • Click on the button that has the red circle with the X in the middle after you enter each file.
    • It will ask for confirmation to delete the file.
    • Click Yes.
    • Continue with that procedure until you have pasted all of these in the "Paste Full Path of File to Delete" box.
    • Killbox may tell you that one or more files do not exist.
    • If that happens, just continue on with all the files. Be sure you don't miss any.
    • Next in Killbox go to Tools > Delete Temp Files
    • In the window that pops up, put a check by ALL the options there except these three:
      • XP Prefetch
      • Recent
      • History
    • Now click the Delete Selected Temp Files button.
    • Exit the Killbox.


    Boot back to Windows normally and post another HijackThis log please. Let me know if you can connect to the Internet after doing the above.
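
One way to triage a HijackThis log like the one posted in this thread, as an added example that is not part of the original posts and not HijackThis's own logic. The three heuristics and the `SYSTEM_BINARIES` reference list are assumptions chosen for illustration; the log lines are an excerpt of the log posted above.

```python
import re
from difflib import SequenceMatcher

# Excerpt of the HijackThis log posted earlier in this thread (not the full log).
LOG = r"""
F2 - REG:system.ini: Shell=Explorer.exe bootini.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\System32\userinit.exe,bootini.exe
O4 - HKLM\..\Run: [SystemTray] SysTray.Exe
O4 - HKLM\..\Run: [Microsoft Windows] bootini.exe
O4 - HKLM\..\Run: [Local Security Authority Service] C:\WINDOWS\System32\lssas.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
O23 - Service: Command Service (cmdService) - Unknown owner - C:\WINDOWS\SG9tZQ\command.exe
"""
# Assumption: a short reference list of genuine Windows binaries to compare against.
SYSTEM_BINARIES = ("lsass.exe", "svchost.exe", "winlogon.exe",
                   "services.exe", "explorer.exe", "userinit.exe")

def exe_name(command):
    """Lower-cased file name of the last .exe named in a command string."""
    hits = re.findall(r'[^\\/"]+\.exe', command, re.I)
    return hits[-1].strip().lower() if hits else ""

def lookalike(name):
    """Genuine binary that `name` closely imitates (lssas -> lsass), else None."""
    for real in SYSTEM_BINARIES:
        if name != real and SequenceMatcher(None, name, real).ratio() >= 0.85:
            return real
    return None

def triage(log):
    """Return (section, reason, line) leads for manual review; leads are not verdicts."""
    lines = [l.strip() for l in log.splitlines() if l.strip()]
    leads, appended = [], set()
    for l in (x for x in lines if x.startswith("F2 - ") and "=" in x):
        # Shell/UserInit should name one program; split assumes paths without spaces.
        extras = [p for p in re.split(r"[ ,]+", l.split("=", 1)[1]) if p][1:]
        if extras:
            appended.update(exe_name(p) for p in extras)
            leads.append(("F2", "extra program in Shell/UserInit", l))
    for l in lines:
        if l.startswith("O4 - "):
            name = exe_name(l.split("] ", 1)[-1])
            if name in appended:
                leads.append(("O4", "same file is appended to Shell/UserInit", l))
            elif lookalike(name):
                leads.append(("O4", f"name imitates {lookalike(name)}", l))
        elif l.startswith("O23 - ") and " - Unknown owner - " in l:
            leads.append(("O23", "owner reported as Unknown", l))
    return leads
```

Calling `triage(LOG)` on this excerpt returns five leads and leaves the SysTray.Exe and Symantec lines alone.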
     
Short URL to this thread: https://techguy.org/502066